eu trade secrets directive & data protection changes

EU DEVELOPMENTS:

THE TRADE SECRETS DIRECTIVE AND

THE GENERAL DATA PROTECTION REGULATION

Presented by: Robert Lands, Head of IP and Commercial, Howard

Kennedy

www.howardkennedy.com


Trade Secrets

• Protection of trade secrets under English law

• The new European Directive

• Practical steps to improve your position


Trade Secrets in the UK

• No specific legislation

• No formal definition

• Not considered to be intellectual property

• BUT yet…


Trade Secrets in the UK

• Trade Secrets / Know-How protected as confidential information

• “Know-How” defined in competition law

• Confidentiality- Contractual or equitable claim

• Two tracks of case law in commercial and employment cases


Coco v AN Clark (Engineers) Ltd [1969]

Three step test:

• information must be confidential in quality and nature;

• it must be imparted so as to import an obligation of confidence; and

• there must be an unauthorised use of that information resulting in the detriment of the party communicating it.


Proposed EU Directive

Directive of the European Parliament and of the Council on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure.



• Why?


Trade Secrets in Europe Today

Austria, Bulgaria, the Czech Republic, Estonia, Germany, Finland, Greece,

Hungary, Italy, Latvia, Lithuania, Poland, Portugal, Romania, Slovakia,

Slovenia, Spain, and Sweden

Belgium, France, Ireland, Luxembourg, Malta, the Netherlands and the UK

TRADE SECRET LEGISLATION NO TRADE SECRET LEGISLATION



• Why?

• Key features


Proposed EU DirectiveKey FeaturesDefinition of Trade Secret:

Information which:(a) is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question;(b) has commercial value because it is secret;(c) has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret.



• Acquiring TS intentionally or with gross negligence by unauthorised access or copying of documents/materials containing TS (or from which they could be deduced), or obtaining these by theft, bribery, deception… or any other conduct contrary to honest commercial practices.

• Use or disclose an unlawfully acquired TS in breach of an NDA or duty of secrecy; or in breach of a contractual or any other duty to limit the use of the TS.

Key Features

Unlawful Acts:



• Use or disclose the TS if the person disclosing knew, or should have known, that it was obtained from a third party that was using or disclosing the TS unlawfully.

• Consciously or deliberately produce, put on the market or import, export or store infringing goods (those whose design, quality, manufacturing process or marketing significantly benefits from TS unlawfully acquired, used or disclosed).

Key Features

Unlawful Acts:



• The acquisition of trade secrets shall be considered lawfulwhen obtained by any of the following means:– independent discovery or creation;– (b) observation, study, disassembly or test of a product or object that

has been made available to the public or that it is lawfully in the possession of the acquirer of the information;

– (c) exercise of the right of workers representatives to information and consultation in accordance with Union and national law and/or practices;

– (d) any other practice which, under the circumstances, is in conformity with honest commercial practices

Key Features

LAWFUL Acts:


Proposed EU DirectiveKey Features• No new IP right• No new criminal offences• A minimum standard of protection:

– Member States must allow trade secret holders to apply to their national courts to remedy unlawful use or acquisition of their trade secrets

– remedies must be "fair, equitable, economical and effective".

• Limitation period = 3 years• Special rules for litigation



• Why?

• Key features

• June 2015 amendments


NOT unlawful:

• to make legitimate use of the right to freedom of expression;

• to reveal misconduct or illegal activity, provided that the respondent acted in the public interest (EG public safety, consumer protection, public health or environmental protection);

• to protect “a legitimate interest recognized by national law”.

ALSO:

• Law does not affect the disclosure of business-related information by the EU institutions and national public authorities (IE FOI)

Safeguards for Freedoms


• Directive does not affect the use of information, knowledge, experience and skills honestly acquired by employees in the normal course of their previous employment.

Safeguards for Employees



• Why?

• Key features

• June 2015 amendments

• Next steps

– First reading/single reading: 24 Nov 2015


Practical Tips

• Don’t tell anyone!

• But if you have to:

– Mark confidential documents as confidential.

– Use legally binding NDAs!

– Don’t over-reach

– Create a duty of confidence

– Plant seeds

• Keep an eye on the EU.


The EU General

Data Protection Regulation


Data Protection: Where are we now?

1. The Data Protection Act 1998 (“DPA”) from 1995 EU Directive

2. The Privacy & Electronic Communications Regulations 2003 (“PECR”)

3. The EU General Regulation on Data Protection (2015-ish)


Data covered by the DPA

• Wide definition – “Personal Data" means data which relate to an

identifiable living individual

• Manual data– If stored in a relevant filing system

• “Sensitive Personal Data”– Racial/ethnic origin; political opinions; religious

beliefs; membership of TU; health; sex life; criminal offences


Key Features of the DPA• Rights for Data Subjects (EG Subject access)• Requirement for Data Controllers to register with ICO

(“Notification”)• 8 Principles of Data Protection

Personal Data must be:– Fairly and lawfully processed – Processed for limited purposes – Adequate, relevant and not excessive – Accurate – Not kept for longer than is necessary – Processed in line with individuals' rights – Secure – Not transferred to countries without adequate protection

• Conditions for processing


Conditions for Processing

• SCHEDULE 2 CONDITIONSEG:

– Consent

– processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.


Conditions for Processing

• SCHEDULE 3 CONDITIONS(When dealing with SENSITIVE PERSONAL DATA)

EG

– Explicit consent

– Processing is necessary to protect the vital interests of the data subject or another person


Common Failings• Breach of 1st Principle (fairly and lawfully processed). Fair

processing notice should give-– Identity of data controller

– Purpose(s) for which data processed

– Any further info to make processing fair having regard to circumstances

• Breach of 3rd Principle (“adequate, relevant and not excessive”).

• Breach of the 7th Principle (adequate security).

• Failure to comply with the conditions of processing.


Privacy & E-Coms Regs

• Anti-spam law

• Soft-opt in for customers

• Cookie rules


Scary Consequences

• Complaint to ICO– Enforcement Notice

– Fine – up to £500,000 (currently)

• Law Suit – Damage and distress.

• Criminal Prosecution


EU General Data Protection Regulation

• Proposed by EU Commission Jan 2012

• Modernising and harmonising

• 4,000 proposed amendments by EU Parl.

• 24th June 2015 – Trilogue begins

• Planned adoption – End 2015

• Entry into force 2017(Or thereabouts)


Key changes in the GDPR

• Fines of up to EUR100 million or up to 5% of annual worldwide turnover, whichever is greater.

• Processors and Non-EU based Data Controllers caught by rules.

• Changes to definitions of personal data etc.

• Limits on profiling

• Privacy impact assessments

• Transparency – detailed notices


Transparency

– Proposed Icons


Key changes in the GDPR• Consent - Freely given, specific, informed and explicit, and

demonstrated either by a statement or affirmative action.

• Enhanced subject access

• New right to be forgotten/ erasure

• New right to data portability

• Mandatory Data Protection Officers

• Data security breach notification

• Documentation instead of notification


Be Afraid Prepared

• GDPR is the biggest change in 20 years

• “Accountability” is the theme

• Preparedness is the best response:

– Develop breach notification protocol

– Consider policies/systems for new rights

– Check contracts with IT suppliers

– Keep an eye on EU developments

Questions?

Comments?

Abuse?

Robert Lands

Head of IP and Commercial

Howard Kennedy LLP

1 London Bridge

London

SE1 9BG

[email protected]

eu trade secrets directive & data protection changes

Business